DJI Drone Hack Opens Up Flight and Video Records to Threat Actors

“Attacker would have completely uninhibited access to login and view the drone’s camera during live operations of any flights currently in progress”

The research team at cybersecurity firm Check Point discovered a vulnerability that allowed hackers to gain access to the flight logs and videos captured by DJI drone operators.

Headquartered in China, DJI is one of the world’s largest producers of drones and quadcopters for the consumer market.

Check Point researchers Oded Vanun, Dikla Barda and Roman Zaikin discovered that an attacker could gain access to DJI customer accounts without the account holder being aware that the saved flight paths and footage from their drones were accessible.

The vulnerability in DJI’s system lies within the identification process for account holders. The researchers note in a blog laying out their research that: “DJI uses a cookie that the attacker can obtain to identify a user and create tokens, or tickets, to access their platforms.”

“Through the use of this cookie, an attacker is able to simply hijack any user’s account and take complete control over any of the user’s DJI Mobile Apps, Web Account or DJI FlightHub account.”

Second Bug

Check Point discovered a second bug in DJI’s architecture that allowed them to obtain the cookie required for identification in attacking accounts.

In order to get this cookie the team orchestrated a cross-site scripting attack (XSS) after discovering a GET request in the forum section of the website.

They constructed this XSS payload:

\' alert(document.cookie); function updateDownImageList (data) {} <!--

The researchers note that: “An attacker could then create a payload that would send that meta-key cookie to his website. This kind of XSS would not be blocked by any XSS Auditor because it resides in the JavaScript itself and not consist of scripts or events.”
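Added example (not from Check Point's write-up or DJI's code): a defender's view of why a value reflected into a JavaScript string needs context-aware encoding rather than quote escaping. It assumes, hypothetically, that the forum endpoint placed the GET parameter inside a single-quoted string in an inline script and escaped only quotes; `weakEscape`, `jsStringEncode` and `breaksOut` are names invented here.

```javascript
// Constructed example; not DJI's or Check Point's code.
// Assumed sink (hypothetical): var q = '<GET parameter>'; in an inline <script>.

// Weak: escapes quotes only. A backslash sent by the client pairs with the
// escaper's backslash, leaving the following quote free to close the string.
function weakEscape(value) {
  return String(value).replace(/'/g, "\\'");
}

// Hardened: emit every character outside a small allowlist as \uXXXX, so
// quotes, backslashes, angle brackets and line breaks never appear literally.
function jsStringEncode(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Returns true if `body`, placed between single quotes in a script block,
// would end the string literal (or the script element) early, or would
// swallow the closing quote with a trailing backslash.
function breaksOut(body) {
  for (let i = 0; i < body.length; i++) {
    if (body[i] === "\\") {
      if (++i >= body.length) return true; // dangling backslash
      continue;                            // skip the escaped character
    }
    if (body[i] === "'" || body[i] === "\n" || body[i] === "\r") return true;
  }
  return /<\/script/i.test(body);
}

// The proof-of-concept string quoted in the article, plus a benign value.
const articlePayload =
  "\\' alert(document.cookie); function updateDownImageList (data) {} <!--";
const benign = "O'Brien";

// For each sample: does the escaped output still break out of the string?
function report() {
  return [benign, articlePayload].map((v) => ({
    weak: breaksOut(weakEscape(v)),
    hardened: breaksOut(jsStringEncode(v)),
  }));
}

console.log(report());
```

The quote-only escaper passes the benign test value, which is why this class of bug survives casual testing. Independently of output encoding, setting the `HttpOnly` attribute on a session cookie keeps it out of `document.cookie`.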

DJI Drone Hack

In order to trigger this attack all the threat actor then needed to do was to post in the DJI forum a message that contained the link to the payload.

“As our XSS resides in the forum itself we were able to bypass the link restriction. Furthermore, as there are hundreds of thousands of users communicating DJI’s forum the attacker would not even need to share the malicious link as this would be done by the users themselves as they forward on the message and link,” the Check Point team stated.

From this point it was just a few more steps before they had access to user accounts on DJI’s website. From here they could synchronise their devices so that they received all the flight records and video logs of drone flights operated by DJI customers.

A key factor in the hack is that the admin or account holder would receive no notification or signs that a threat actor has complete access to their account.

As Check Point note, the “Attacker would have completely uninhibited access to login and view the drone’s camera during live operations of any flights currently in progress, or download records of previously recorded flights that had been uploaded to the FlightHub platform.”

DJI were informed of the vulnerability within their architecture back in March by Check Point and have since carried out a patch of the system. DJI classified the vulnerability as a high risk, but one with little chance of occurring. To date they have no evidence that anyone other than Check Point were aware of or used the vulnerability.